Rogue AV Theatrics on Extended Run

Rogue antivirus programs continue to plague our customers: submissions this September echo August's top malware profile. FAKEAV variants and components victimized users all over the world, and these threats remain among the most common case submissions we receive, even just two weeks into September.

What happens after the initial infection varies, but the objective is always the same: to convince users, through a series of system modifications and intrusive warnings, that something is wrong with their PCs. These scare tactics include fake Windows popup balloons, a desktop wallpaper replaced with an alarming message, and an unsolicited system scan that returns worrying results.

Here we highlight two of the latest attacks we have seen, both of which are multi-component in nature and have presented unique difficulties in terms of cleanup. While it is difficult to determine whether these rogue AV programs, WinAntispyware 2008 and Antivirus XP 2008, are related to the spate of Antivirus 2009 attacks seen in August, their prevalence this September suggests it is time to pay these attacks the attention they deserve.

Both require the user to have clicked a link or opened an attachment that downloaded a Trojan dropper onto the system. TROJ_FAKEAV.RIT follows the more conservative path, as it depends on an Internet connection to see the attack through to its end. It first drops several files, some of which run at restart and download another file from the Internet. This file is not the rogue AV itself; it is only a program that displays a fake popup claiming the system is infected. Only when the user clicks the popup balloon does the rogue AV continue the rest of the show: it displays a fake security console GUI, performs a fake scan, shows fake results, and then tries to convince the user to purchase the full version.

Losing $50 on a fake program is bad enough, but victims should be worried about losing much, much more. Once the people behind the scheme have a victim's credit card details, there is no telling how those details will be used.

Figure 1. WinAntispyware 2008 product purchase page

The second notable attack we have seen is by TROJ_FAKEAV.IE, which takes a more wholesale approach to delivering the attack. Instead of relying on an Internet connection at every step, all it takes to risk infection is the download of the Trojan dropper TROJ_FAKEALER.DQ. This dropper brings everything with it: files to help scare the user, such as a wallpaper and a screensaver, and even the rogue AV program itself. Perhaps the mind behind this attack wants to make the most of its foot in the door.

It modifies the system's wallpaper and screensaver settings, so the first thing the user notices is that the desktop image has changed. A user who decides to investigate will find that the Desktop and Screen Saver tabs are missing from the Display Properties dialog. A few seconds into suspecting that something is wrong, an EULA appears out of nowhere.

Figure 2. Antivirus XP 2008 Fake EULA

If the user clicks Agree and Install (after all, the EULA looks like most program EULAs, which people do not really read), the program immediately runs a fake system scan and shows a fake results page. After this, the browser opens a window asking the user for contact information.

Figure 3. Antivirus XP 2008 product purchase discount page

The attacker's intention may be slightly different here, but the risks are no less serious. With a victim's name, phone number and email address, criminals can commit identity theft and mount further social engineering attacks using those personal details. Email addresses can also be sold to spammers as confirmed active accounts.
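For a quick check of the two behaviours described above on a suspect machine, the following PowerShell script is an added triage example; it is not code from the original post or from Trend Micro, and it does not encode any FAKEAV-specific file names. It lists the autorun entries where dropped components that "run at restart" would sit, shows the current wallpaper and screensaver, and inspects the standard Windows policy values that hide the Desktop and Screen Saver tabs of Display Properties. The `Suspect` heuristic (autoruns launched from user-writable paths) and the `-Revert` switch are this example's own conventions.

```powershell
<#
  Added triage example, not code from the original post or from Trend Micro.
  Checks the symptoms the post describes: components set to run at restart,
  a swapped wallpaper/screensaver, and policy values that hide the Desktop
  and Screen Saver tabs. Registry locations are standard Windows autorun and
  policy keys; no FAKEAV-specific file names are assumed.
  Run as the affected user (elevated to read HKLM); -Revert clears the
  tab-hiding policy values so the user can restore the desktop settings.
#>
param([switch]$Revert)

# 1. Autorun entries: anything listed here runs at the next logon/restart.
$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath etc.
        $cmd = [string]$p.Value
        # Heuristic: droppers commonly launch from user-writable profile/temp paths.
        $suspect = $cmd -match '(?i)\\(AppData|Local Settings|Temp|Application Data)\\'
        [PSCustomObject]@{ Check = 'Autorun'; Location = $key; Name = $p.Name; Value = $cmd; Suspect = $suspect }
    }
}

# 2. Current wallpaper and screensaver, so a swapped-in scare image is visible in the output.
$desktopKey = 'HKCU:\Control Panel\Desktop'
$desktop = Get-ItemProperty -Path $desktopKey
[PSCustomObject]@{ Check = 'Wallpaper';   Location = $desktopKey; Name = 'Wallpaper';    Value = $desktop.Wallpaper;      Suspect = $false }
[PSCustomObject]@{ Check = 'Screensaver'; Location = $desktopKey; Name = 'SCRNSAVE.EXE'; Value = $desktop.'SCRNSAVE.EXE'; Suspect = $false }

# 3. Policy values that hide Display Properties tabs or lock the wallpaper.
#    A non-zero value set outside of a managed (Group Policy) environment is a strong sign of tampering.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'NoDispBackgroundPage' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'NoDispScrSavPage' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'NoDispCPL' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' }
)
foreach ($c in $policyChecks) {
    $val = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $set = ($null -ne $val) -and ($val -ne 0)
    [PSCustomObject]@{ Check = 'Policy'; Location = $c.Path; Name = $c.Name; Value = $val; Suspect = $set }
    if ($set -and $Revert) {
        Remove-ItemProperty -Path $c.Path -Name $c.Name
        Write-Host "Removed $($c.Name) from $($c.Path)"
    }
}
```

Pipe the output to `Format-Table -AutoSize` and review every row; the `Suspect` flag only highlights likely candidates, and an autorun entry pointing at a user profile path still needs to be checked against the actual file before it is removed. Clearing the policy values restores the missing tabs, but the dropped components themselves must still be identified and deleted, otherwise they will simply re-apply the settings at the next restart.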
